author | Gavin Andresen <gavinandresen@gmail.com> | 2011-09-26 06:12:59 -0700 |
---|---|---|
committer | Gavin Andresen <gavinandresen@gmail.com> | 2011-09-26 06:12:59 -0700 |
commit | 5df25e78db8257df5dc5f71073cb31d9ae16711c (patch) | |
tree | 25e8a0c8065be14b052014172658ad7732dd2064 /src | |
parent | 17e2c24645a10354849dec917b31f364e9056d58 (diff) | |
parent | 3f94dfa25fc1b0e838d368a9b2683a634cd3a60c (diff) |
Merge pull request #513 from cjdelisle/feature-hardening
Hardening
Diffstat (limited to 'src')
-rw-r--r-- | src/makefile.unix | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/src/makefile.unix b/src/makefile.unix
index 2b7f3f679d..b893853fd0 100644
--- a/src/makefile.unix
+++ b/src/makefile.unix
@@ -36,8 +36,36 @@ LIBS+= \
 -l pthread
 
 
+# Hardening
+# Make some classes of vulnerabilities unexploitable in case one is discovered.
+#
+ # Stack Canaries
+ # Put numbers at the beginning of each stack frame and check that they are the same.
+ # If a stack buffer if overflowed, it writes over the canary number and then on return
+ # when that number is checked, it won't be the same and the program will exit with
+ # a "Stack smashing detected" error instead of being exploited.
+ HARDENING=-fstack-protector-all -Wstack-protector
+
+ # Make some important things such as the global offset table read only as soon as
+ # the dynamic linker is finished building it. This will prevent overwriting of addresses
+ # which would later be jumped to.
+ HARDENING+=-Wl,-z,relro -Wl,-z,now
+
+ # Build position independent code to take advantage of Address Space Layout Randomization
+ # offered by some kernels.
+ # see doc/build-unix.txt for more information.
+ ifdef PIE
+ HARDENING+=-fPIE -pie
+ endif
+
+ # -D_FORTIFY_SOURCE=2 does some checking for potentially exploitable code patterns in
+ # the source such overflowing a statically defined buffer.
+ HARDENING+=-D_FORTIFY_SOURCE=2
+#
+
+
 DEBUGFLAGS=-g -D__WXDEBUG__
-CXXFLAGS=-O2 -Wno-invalid-offsetof -Wformat $(DEBUGFLAGS) $(DEFS)
+CXXFLAGS=-O2 -Wno-invalid-offsetof -Wformat $(DEBUGFLAGS) $(DEFS) $(HARDENING)
 HEADERS = \
 base58.h \
 bignum.h \ |
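Review bot: On the rewritten `CXXFLAGS` line the hardening flags ride inside a variable that users routinely override, so `make -f makefile.unix CXXFLAGS=-O0` replaces the whole assignment and silently builds with no canaries, RELRO or `_FORTIFY_SOURCE` (which also needs optimization enabled to have any effect). Leaving the base assignment as it was and appending with `override CXXFLAGS += $(HARDENING)` would let the flags survive a command-line override. `-Wl,-z,relro -Wl,-z,now` and `-pie` are link-time options, so they take effect only if the link recipes, which are outside this hunk, pass `$(CXXFLAGS)`; checking the built binary with `readelf -l` for `GNU_RELRO` and `readelf -d` for `BIND_NOW` would confirm it. PIE stays opt-in behind `ifdef PIE`, so a default build gets no randomization of the executable's own image, and a comment at the `ifdef` stating that default would help packagers.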